IlyaSobolev/DocSpace-buildtools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
master
DocSpace-buildtools/config/nginx/onlyoffice.conf

417 lines
11 KiB
Plaintext
Raw Permalink Blame History

map $http_host $this_host {
"" $host;
default $http_host;
}
map $http_cloudfront_forwarded_proto $cloudfront_forwarded_proto {
default $http_cloudfront_forwarded_proto;
"" $scheme;
}
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
default $http_x_forwarded_proto;
"" $cloudfront_forwarded_proto;
}
map $http_x_forwarded_port $proxy_x_forwarded_port {
default $http_x_forwarded_port;
'' $server_port;
}
map $http_x_forwarded_host $proxy_x_forwarded_host {
default $http_x_forwarded_host;
"" $this_host;
}
map $scheme $proxy_x_forwarded_ssl {
default off;
https on;
}
map $http_upgrade $proxy_connection {
default upgrade;
'' close;
}
map $uri $basename {
~/(?<captured_basename>[^/]*)$ $captured_basename;
}
map $request_uri $header_x_frame_options {
~*^/(favicon\.ico|products\/files\/share|products\/files\/saveas|products\/files\/filechoice|products\/files\/doceditor|thirdparty\/plugin) "";
default "SAMEORIGIN";
}
map $request_uri $cache_control {
default "no-cache, no-store, no-transform";
~*\/(filehandler\.ashx\?action=(thumb|preview))|\/(storage\/room_logos\/root\/.*\?hash.*|storage\/userPhotos\/root\/.*\?hash.*|storage\/whitelabel\/root\/.*\?hash.*|storage\/static_partnerdata\/root\/.*\?hash.*) "must-revalidate, no-transform, immutable, max-age=31536000";
~*\/(api\/2\.0.*|storage|login\.ashx|filehandler\.ashx|ChunkedUploader.ashx|ThirdPartyAppHandler|apisystem|sh|remoteEntry\.js|debuginfo\.md|static\/scripts\/api\.js|static\/scripts\/sdk\/.*|static\/scripts\/api\.poly\.js) "no-cache, no-store, no-transform";
~*\/(static\/images\/.*)|\/(_next\/public\/images\/.*)|\.(js|woff|woff2|css)|(locales.*\.json) "must-revalidate, no-transform, immutable, max-age=31536000";
}
map $request_uri $content_security_policy {
"" "";
~*\/(ds-vpath)\/ "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'; script-src-elem * 'unsafe-inline'; img-src * data:; style-src * 'unsafe-inline' data:; font-src * data:; frame-src * ascdesktop:; object-src; connect-src * ascdesktop:;";
}
include /etc/nginx/includes/onlyoffice-*.conf;
server_names_hash_bucket_size 128;
server {
listen 8092;
add_header Referrer-Policy "same-origin";
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options $header_x_frame_options;
add_header Cache-Control $cache_control;
add_header Permissions-Policy "autoplay=(), geolocation=(), camera=(), microphone=(), interest-cohort=()";
root $public_root;
etag on;
large_client_header_buffers 4 16k;
client_max_body_size 4G;
gzip on;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
gzip_min_length 1000;
gzip_proxied any;
fastcgi_read_timeout 600;
fastcgi_send_timeout 600;
fastcgi_keep_conn on;
fastcgi_intercept_errors on;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO "";
proxy_http_version 1.1;
proxy_set_header Host $this_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Host $proxy_x_forwarded_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header Proxy "";
set $csp "";
access_by_lua '
local accept_header = ngx.req.get_headers()["Accept"]
if ngx.req.get_method() == "GET" and accept_header ~= nil and string.find(accept_header, "html") and not ngx.re.match(ngx.var.request_uri, "ds-vpath|/api/") then
local key = string.format("csp:%s",ngx.var.host)
local redis = require "resty.redis"
local red = redis:new()
local redis_host = "127.0.0.1"
local redis_port = 6379
local redis_pass = ""
red:set_timeout(1000) -- 1 second
local ok, err = red:connect(redis_host, redis_port)
if not ok then
ngx.log(ngx.ERR, "failed to connect to redis: ", err)
return
end
if redis_pass ~= "" then
local res, err = red:auth(redis_pass)
if not res then
ngx.log(ngx.ERR, "failed to authenticate: ", err)
return
end
end
local csp, err = red:hget(key, "data")
if csp == ngx.null or not csp then
ngx.log(ngx.INFO, "failed to get redis key: ", err)
else
ngx.header.Content_Security_Policy = csp
end
end
';
location ~* ^/ds-vpath/ {
rewrite /ds-vpath/(.*) /$1 break;
proxy_pass http://172.18.0.4:80;
proxy_redirect off;
client_max_body_size 100m;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $proxy_x_forwarded_host/ds-vpath;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
add_header Content-Security-Policy $content_security_policy;
}
location ^~ /dashboards/ {
auth_basic "Restricted Access";
auth_basic_user_file /etc/nginx/.htpasswd_dashboards;
rewrite ^/dashboards(/.*)$ $1 break;
proxy_pass http://127.0.0.1:5601;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Connection "Keep-Alive";
proxy_set_header Proxy-Connection "Keep-Alive";
}
location / {
proxy_pass http://127.0.0.1:5001;
proxy_redirect off;
location ~* /(manifest.json|sw.js|appIcon(.)*\.png|icon.svg|bg-error.png|debuginfo.md) {
try_files /$basename /index.html =404;
}
location ~* /static/css/ {
try_files /css/$basename /index.html =404;
}
location ~* /static/fonts/(?<content>[^/]+) {
try_files /fonts/$content/$basename /index.html =404;
}
location ~* /static/offline/ {
try_files /offline/$basename /index.html =404;
}
location ~* /thirdparty/ {
try_files /thirdparty/third-party.html /index.html =404;
}
location ~* /static/locales/(?<content>[^/]+) {
try_files /locales/$content/$basename /index.html =404;
}
location ~* /static/scripts/(.*)$ {
try_files /scripts/$1 /index.html =404;
}
location ~* /static/plugins/ {
try_files /plugins/$basename /index.html =404;
}
location ~* /static/images/(.*)$ {
try_files /images/$1 /index.html =404;
}
location ~* /static/campaigns/(.*)$ {
try_files /campaigns/$1 /index.html =404;
}
}
location /doceditor {
proxy_pass http://127.0.0.1:5013;
proxy_redirect off;
location ~* /_next/public/images/(.*)$ {
try_files /images/$1 /index.html =404;
}
}
location /login {
proxy_pass http://127.0.0.1:5011;
proxy_redirect off;
location ~* /_next/public/images/(.*)$ {
try_files /images/$1 /index.html =404;
}
}
location /management {
proxy_pass http://127.0.0.1:5015;
proxy_redirect off;
location ~* /static/favicon.ico {
try_files /$basename /index.html =404;
}
location ~* /static/images/(.*)$ {
try_files /images/$1 /index.html =404;
}
location ~* /static/fonts/(?<content>[^/]+) {
try_files /fonts/$content/$basename /index.html =404;
}
rewrite management/(.*) /$1 break;
}
location ~* /static/fonts/(?<content>[^/]+) {
try_files /fonts/$content/$basename /index.html =404;
}
location /sockjs-node {
proxy_pass http://127.0.0.1:5001;
proxy_redirect off;
}
location ~* /s/(.*) {
proxy_pass http://127.0.0.1:5000;
}
location /openapi {
proxy_pass http://127.0.0.1:5003;
location ~*/asc.web.api {
proxy_pass http://127.0.0.1:5000;
}
location ~*/asc.people {
proxy_pass http://127.0.0.1:5004;
}
location ~*/asc.files {
proxy_pass http://127.0.0.1:5007;
}
location ~*/asc.data.backup {
proxy_pass http://127.0.0.1:5012;
}
}
location /api/2.0 {
location ~* /(files|privacyroom) {
proxy_pass http://127.0.0.1:5007;
}
location ~* /(people|group|accounts) {
proxy_pass http://127.0.0.1:5004;
}
location ~* /(authentication|modules|portal|security|settings|smtpsettings|capabilities|thirdparty|encryption|feed|migration) {
proxy_pass http://127.0.0.1:5000;
location ~* portal/(.*)(backup|restore)(.*) {
rewrite (.*)/portal/(.*) $1/backup/$2 break;
proxy_redirect off;
proxy_pass http://127.0.0.1:5012;
}
location ~* authentication/register(.*) {
rewrite (.*)/authentication/register(.*) $1/people/register$2 break;
proxy_redirect off;
proxy_pass http://127.0.0.1:5004;
}
}
location ~* /backup {
proxy_pass http://127.0.0.1:5012;
}
location ~* /plugins {
proxy_pass http://127.0.0.1:5014;
}
location ~* /migration {
proxy_pass http://127.0.0.1:5034;
}
}
location /sso {
rewrite sso/(.*) /$1 break;
proxy_pass http://127.0.0.1:9834;
}
location ~* /storage/files_template/ {
proxy_pass http://127.0.0.1:5007;
}
location ~* /(ssologin.ashx|login.ashx|storage) {
proxy_pass http://127.0.0.1:5003;
}
location /socket.io/ {
proxy_pass http://127.0.0.1:9899;
proxy_redirect off;
}
location /backupFileUpload.ashx {
proxy_pass http://127.0.0.1:5012;
}
location /migrationFileUpload.ashx {
proxy_pass http://127.0.0.1:5000;
}
location /logoUploader.ashx {
proxy_pass http://127.0.0.1:5000;
}
location /logo.ashx {
proxy_pass http://127.0.0.1:5000;
}
location /payment.ashx {
proxy_pass http://127.0.0.1:5000;
}
location /ThirdPartyApp {
proxy_pass http://127.0.0.1:5007;
}
location ~* /filehandler.ashx {
proxy_pass http://127.0.0.1:5007;
}
location /ChunkedUploader.ashx {
proxy_pass http://127.0.0.1:5007;
}
location /apisystem {
rewrite apisystem/(.*) /$1 break;
proxy_pass http://127.0.0.1:5010;
}
location /apicache {
rewrite apicache/(.*) /$1 break;
proxy_pass http://127.0.0.1:5100;
}
location /healthchecks {
rewrite /healthchecks/(.*)$ /$1 break;
proxy_pass http://127.0.0.1:5033;
}
error_page 401 /custom_401.html;
location = /custom_401.html {
root /etc/nginx/html;
internal;
}
error_page 403 /custom_403.html;
location = /custom_403.html {
root /etc/nginx/html;
internal;
}
error_page 404 /custom_404.html;
location = /custom_404.html {
root /etc/nginx/html;
internal;
}
error_page 500 502 503 504 /custom_50x.html;
location = /custom_50x.html {
root /etc/nginx/html;
internal;
}
}
Reference in New Issue View Git Blame Copy Permalink